Presentation to the 2013 SAP Inside Track and ASUG Ontario meetings June 19, 2013. Overview of five elements for enterprise risk management (ERM) using SAP RM10 as well as case study and best practices for audit management and supply chain risk management.
SAP Inside Track Toronto ASUG Ontario 2013 Enterprise Risk Management: Align Goals with Actions
1. Enterprise Risk Management using RM10
Align to Your Goals and Actions
William Newman, CMC, MBA
Managing Principal, Newport Consulting Group
Communications Chair, ASUG Michigan Chapter
2. We are the ASUG Michigan Chapter, with over 2,500 ASUG members and home to the Automotive SIG and key working groups.
We offer three meetings annually:
March - Joint Meeting with Automotive SIG (Detroit)
June - Joint Meeting with West Michigan CWG (Grand Rapids); June 27, 2013, sponsored by GVSU
September / October - UA Partner meeting (Mount Pleasant); October 3, 2013, sponsored by CMU
Join us, we are just a lake away!
Great Lakes, Great Times.
GREETINGS FROM MICHIGAN Your Great Lakes Friends! Twitter: @asug_michigan
3. Introductions @william_newman
Hello. Call me Bill please
Managing Principal, Newport Consulting Group
Member, SAP Sustainability Executive Advisory Council, Business Influencer Program, Office of CFO Marketing
Certified Management Consultant (since 1995)
Adjunct faculty - Northwood University (International Management, Sustainability Management, member UA program), University of Oregon Sustainable Leadership Program (Sustainable Supply Chain)
Professional Speaker (ASUG, SAP Insider, TEDx, Sustainable Business Forum, MACPA, SAI, Supply Chain Council, SAP Experts), Writer, SAP Press author of Understanding BusinessObjects Enterprise Performance Management (EPM)
SCN Blog it Forward post:
http://scn.sap.com/community/about/blog/2012/10/24/blog-it-forward--william-newman
4. Agenda @william_newman
Today's Agenda
Understanding the basis for Enterprise Risk Management (ERM)
Executive Challenges - Aligning to Goals and Actions
SAP Risk Management 10 - Platform for ERM
Considerations for Audit Practices
Considerations for Supply Chain Risk Activities
A Case Review - How One Organization Got Started
Links and References
Key Take-away Points
Summary and Discussion
5. Understanding Enterprise Risk Management @william_newman
Enterprise Risk Management represents a company-wide
approach to risk management activities in a holistic,
pragmatic, and managed approach across multiple company
operations, functions, and activities.
- As abstracted from the Global Accenture Risk Management
Report, 2011
6. Understanding Enterprise Risk Management @william_newman
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
ERM objectives typically include some or all of the following:
Aligning Risk Appetite and Strategy
Enhancing Risk Response Decisions
Reducing Operational Surprises and Losses
Identifying and Managing Multiple Cross Enterprise Risks
Seizing Opportunities
Improving Deployment of Capital
Source: SAP, 2012 as modified by Newport Consulting Group
7. Executive Challenges Aligning Goals to Actions @william_newman
Challenges remain as to motive, satisfaction and capabilities
8. Executive Challenges Aligning Goals to Actions @william_newman
Additional Sources: Discontinuity of risk management practices, in terms of demand, satisfaction, and board level understanding (various sources: The Economist Intelligence Unit Survey, Ascending the Maturity Curve (March, 2011); McKinsey Global Survey, Governance since the Economic Crisis (March, 2011); Report on the 2011 Accenture Global Risk Management Study (February, 2011))
which suggests a certain call to action for executives.
Practical knowledge of risk management concepts and principles is needed in the corporate environment as never before, and executives have created demand for this knowledge. How this knowledge is crafted into ERM practices, standards, and guidelines inside of corporate policy is open for revision.
Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.
9. SAP Risk Management 10 ERM Platform @william_newman
SAP recognizes there are 3 primary reasons for ERM failure:
1. ERM is not linked to fundamental value drivers of the business
2. Shareholder devaluation occurs based on measuring nonproductive drivers
3. ERM is not focused significantly or deeply enough on the broad value-killer, fat-tail risks
Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.
10. SAP Risk Management 10 ERM Platform @william_newman
SAP Business Suite and LOB
Processes (example: Supply
Chain)
KPIs, Metrics, Measures
(BI Analytics, EPM solutions)
Impacts to Measures
(BI Analytics, GRC & other
solutions)
Mitigation and Remediation Plans
(GRC RM, PC, AC, ERP-PS)
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
Overall Audit
Documentation
11. SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
12. SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
SAP Risk Management 10 allows for a graphical view to portray bow tie risk formats, including risk drivers and impacts.
13. SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
The Bow Tie Builder graphical view allows
specific risk driver and impact descriptions
meaningful to specific organizations.
14. SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
Risk actions such as mitigations may be
added from the Bow Tie Builder.
You can identify specific areas of the risk, associated with organizations and processes. A common mitigation action is an audit program; let's see how RM10 works to support audit programs and functional risk areas.
15. Considerations for Audit Practices @william_newman
Business audits are increasingly standard as a risk management
function across a number of different functions including:
Information Technology (SAS 70, SSAE 16)
Financial Management processes (SOX 404, Dodd-Frank)
Information Use (ITAR, security constraints)
Sustainability (LEED, SA 8000, Natural Step, GRI)
Assurance activities (AA 1000)
Quality Management processes (ISO 9000, CAPA, APQP)
Environmental Management processes (ISO 14000)
Product Compliance Regulations (ROHS, REACH, ELV)
Treasury Management and Currency Exchange (SWIFT)
Audits are not just for IT system management anymore!
16. Considerations for Audit Practices @william_newman
Regardless of the business function or processes, most agree
the audit format contains several common stages and activities.
Source: Adapted from IIA, University of Illinois materials, as modified by Newport Consulting Group.
17. Considerations for Audit Practices @william_newman
SAP NetWeaver's Audit Management allows full program life
cycle management for internal audit activities, including:
Information Technology
Management Systems, and
Financial Operations
As part of the SAP NetWeaver platform, SAP NetWeaver's Audit Management
connects seamlessly with specific SAP modules such as
SAP ERP Project System
SAP ERP HCM
SAP Risk Management
New updates for SAP GRC 10.0 release! Ships FREE with Business Suite!
Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)
18. Considerations for Audit Practices @william_newman
Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)
In this example we can associate an Accounts
Payable audit with both financial operations
and even treasury risks if involving foreign
currencies and operating units.
19. Considerations for Audit Practices @william_newman
During the execution stage of an audit, work papers often suggest corrective or preventive actions in real time.
SAP NetWeaver audit management allows you to identify these work papers and capture remediation actions on the fly so that these can be automatically summarized in the findings report.
Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)
20. Considerations for Supply Chain Risk Activities @william_newman
Functional Risk Management can look at many areas,
including supply chain disruptions due to disasters, business
continuity, and sociopolitical risk
21. Considerations for Supply Chain Risk Activities @william_newman
which can then roll up into a broader ERM program environment, providing transparency and proactive management.
Read my article on supply chain visibility in SCN
Source: Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010).
22. Considerations for Supply Chain Risk Activities @william_newman
SAP Supply Chain Performance Management 2.0 allows for supply chain risks to be mapped to RM10 as part of an overall ERM program portfolio.
These risks can also be associated with key risk indicators (KRIs) and the SCOR 11 operating model's key performance indicators (KPIs), which can help to minimize financial and operational risk targets and increase performance.
Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)
Listen to my SCOR11
review on IXN Podcast
in iTunes (IXN002)
23. Considerations for Supply Chain Risk Activities @william_newman
Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)
In this example we can link a risk from RM10 into performance measurements and operational data found in SCPM 2.0
24. Case Study - How One Organization Got Started @william_newman
Large Multinational Organization
Major SAP transformation underway
Third party purchased existing PC-based
audit software (burning platform)
Looked to leverage AIS function of ECC
(near term) as well as RM10, PC10
capabilities (downstream)
Example audit risk management engagement
Based on this, the organization's internal audit department looked at how to leverage Access Controls, Process Controls, and NetWeaver Audit Management with Risk Management 10.
25. Case Study - How One Organization Got Started @william_newman
System Topology
The concept of using the
records tracking inside AIS
of ECC 6.0, combined with
the document
management features of
NW Audit Management
was compelling.
26. Case Study - How One Organization Got Started @william_newman
System Context
Fortunately the process
for conducting the audit
was reasonably consistent
across business audit
domains. Much of the
system context was on
workflow, approvals.
27. Case Study - How One Organization Got Started @william_newman
Permissions
Once roles and workflow
were defined a permissions
matrix was determined based
on modified CRUD-M level
access to audit report and
working papers
documentation.
ILLUSTRATIVE
28. Case Study - How One Organization Got Started @william_newman
Other aspects
SAP User Roles would determine AC
permissions for NW Audit Management
based on audit
eventually stage gate position using
PC
Integrated message system between NW
Audit Management and SAP Messaging,
Microsoft Outlook
AIS would feed auditor working papers
based on ISACA T-codes and scenario
basis
ILLUSTRATIVE
29. Links and References @william_newman
Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management,
Galileo Press (2010)
Newman, William. Reduce Risk in your Supply Chain with Supply Chain Performance Management, GRC Expert
(March 12, 2010) login required
Newman, William. How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (October 4,
2011) login required
Newman, William. Increase Enterprise Risk Management Performance with Risk Management 10.0, GRC Expert
(April 18, 2012) login required
Newman, William. The Bow Tie Builder Tool, GRC Expert (May 1, 2012) login required
Newman, William. Supply Chain Management 2.0 Offers Better Integration, Analytics,
searchSAP.com (March 21, 2012)
Stackpole, Beth. Deploying Supply Chain Management Software Hinges on Breadth, Depth, Integration,
searchManufacturingERP.com (April 18, 2012)
Stackpole, Beth. Ripe with Opportunity, Global Supply Chain also Brings Substantial Risk,
searchManufacturingERP.com (March 14, 2012)
30. Key Take Away Points @william_newman
1. There is a great need for Enterprise Risk Management (ERM) and a lot of
confusion as to what this means. This creates significant opportunity for SAP
and its partners.
2. SAP Risk Management 10.0 offers a great platform to build, manage, and
assess the effectiveness of an ERM program
3. As part of mitigation activities, organizations are looking towards audits to
build these actions into their ERM programs. SAP NetWeaver Audit
Management offers easy to use connections into RM10 and other GRC tools.
4. Functional risk management allows deeper dives into specific
processes, functions and operational activities in the organization.
5. SAP Supply Chain Performance Management 2.0 allows for quick integration
to RM10 risk activities while leveraging the Supply Chain Council SCOR model
and SCRP framework.